100s of Events (Id 5152) from Sophos Endpoint Protection on Windows desktops and servers (multiple versions)

This is a continuation of Sophos Endpoint Protection generating 100s of Events - Discussions - Intercept X Endpoint - Sophos Community, which is still happening and has never received a satisfactory answer (using auditpol to suppress these messages is not a legitimate solution, because it indiscriminately suppresses reports of both valid and invalid 5152 events).

The aspect of the problem I'm reporting here is an apparent bug with the uninstaller.

We are no longer a Sophos customer (not my decision and the decision wasn't made because of this issue), but we are still seeing these events.  Uninstalling Sophos software resolved the issue on most systems, but not all of them.  (You might ask: why do you still think this has anything to do with Sophos?  See the earlier thread for some fairly convincing evidence.)

Note that this was never an issue with Sophos software by itself; rather it's an issue with interaction between Sophos Endpoint Protection and actions taken by Sophos through the Windows firewall API (at least that's the best theory I can come up with given the evidence that's available out there on the internet).  Note also that Sophos is not the only endpoint protection vendor that has this problem with the Windows firewall.

This leaves me with the theory that, whatever Sophos did to the Windows firewall, it was able to undo in most cases.  In other cases, it left the Windows firewall's internal database in a confused state.  Perhaps Microsoft has most of the responsibility for this bug, but it is quite rare to see the 5152 problem on Windows systems without 3rd party endpoint protection and quite a bit more common to see it on systems that do have 3rd party protection.

It's easy to visualize mutual fingerpointing between the 3rd party vendors and Microsoft in this area, which is perhaps why the problem has continued for more than a decade.

This problem is also reported in https://community.sophos.com/on-premise-endpoint/f/sophos-endpoint-software/104223/100-s-of-logged-events-the-windows-filtering-platform-has-blocked-a-packet-5152-it-appears-that-sophos-end-point-security-is-causing-out-log-files-to-fill-up-with-this-error-and-may-be-generating-unnecessary-network-traffic-a, https://community.sophos.com/intercept-x-endpoint/f/discussions/112965/sophos-endpoint-causing-1000s-of-audit-failures-in-event-viewer and https://ideas.sophos.com/forums/428821-sophos-central/suggestions/34754446-cannot-disable-firewall-monitoring (and in a number of places outside this community).

  • The installer of the Sophos Endpoint Firewall component, prior to 1.2, used to enable auditing of WFP events.  When you uninstalled, it did not disable this auditing, I guess because it didn't know if it was previously enabled or had potentially been enabled after install for some other purpose.

    1.2 of the EP FW does not enable it but equally doesn't attempt to disable it on upgrade.  So I imagine that you don't see these events on newly installed computers where 1.2 was the first version installed.

    For existing machines with it enabled, running:

    auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:disable /failure:disable

    should disable it.

  • Hi,

    thanks for bringing this up. I've noticed those many event logs on our servers but until today I could not see a relation between them and Sophos Intercept-X.

    And, as reported, recently installed machines do not seem to have this issue.

    Problem is that it spams security logs on servers, where it drops out "real" security logs.
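The original post objects that turning off the "Filtering Platform Packet Drop" subcategory with auditpol (as the first reply suggests) hides every 5152 event, legitimate drops included. The script below is an added example, not code from the thread or from Sophos: before suppressing anything, it counts the recent 5152 events per WFP filter ID and resolves each ID against the live WFP filter table, so you can see whether the drops come from a handful of left-over filters (the "confused state" the post suspects) or from genuine firewall blocks. It assumes, as is my understanding but not confirmed by the thread, that event 5152 carries FilterRTID and LayerRTID in its EventData and that `netsh wfp show filters file=...` writes XML whose `<item>` elements contain `<filterId>`, `<displayData><name>`, `<providerKey>`, `<layerKey>` and `<action><type>`; adjust the property paths if your build's export differs. Run it from an elevated PowerShell prompt.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread). Attribute 5152 events to the WFP
# filters that generate them instead of blanket-disabling the audit subcategory.
#
# Assumed (not confirmed by the thread): 5152 EventData fields FilterRTID,
# LayerRTID, Application, Direction, DestAddress, DestPort; netsh wfp XML
# export layout <filters><item><filterId>, <displayData><name>, <providerKey>,
# <layerKey>, <action><type>.

# 1. Current audit policy state for the subcategory the replies discuss.
auditpol /get /subcategory:"Filtering Platform Packet Drop"

# 2. Recent 5152 events, flattened to the fields we need.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5152 } `
                       -MaxEvents 5000 -ErrorAction SilentlyContinue

$drops = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        FilterRTID  = [uint64]$data['FilterRTID']
        LayerRTID   = $data['LayerRTID']
        Application = $data['Application']
        Direction   = $data['Direction']   # raw %%14592 (inbound) / %%14593 (outbound)
        Remote      = "$($data['DestAddress']):$($data['DestPort'])"
    }
}

$byFilter = $drops | Group-Object FilterRTID | Sort-Object Count -Descending

# 3. Export the live WFP filter table and index it by filter ID.
$export = Join-Path $env:TEMP 'wfp-filters.xml'
netsh wfp show filters file="$export" | Out-Null
[xml]$wfp = Get-Content -Raw $export

$filterInfo = @{}
foreach ($item in $wfp.filters.item) {
    $filterInfo[[uint64]$item.filterId] = [pscustomobject]@{
        Name     = $item.displayData.name
        Provider = $item.providerKey
        Layer    = $item.layerKey
        Action   = $item.action.type
    }
}

# 4. Report. A BLOCK filter with no provider, or a filter ID that no longer
#    exists in the current WFP state, is what to look for on a machine where
#    the vendor has been uninstalled; a named Windows Firewall filter blocking
#    unsolicited inbound traffic is a legitimate event you would want to keep.
$report = foreach ($g in $byFilter) {
    $id   = [uint64]$g.Name
    $info = $filterInfo[$id]
    [pscustomobject]@{
        Count    = $g.Count
        FilterId = $id
        Name     = if ($info) { $info.Name }     else { '<not in current WFP state>' }
        Provider = if ($info) { $info.Provider } else { '' }
        Layer    = if ($info) { $info.Layer }    else { '' }
        Action   = if ($info) { $info.Action }   else { '' }
        Sample   = ($g.Group | Select-Object -First 1).Application
    }
}
$report | Format-Table -AutoSize
```

If the top filter IDs resolve to nothing in the current WFP state, or to block filters with an empty provider, those are candidates for removal with `netsh wfp` rather than for silencing the whole subcategory; if they resolve to ordinary Windows Firewall rules, the events are real and the audit setting should stay on.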